Tuesday, October 5, 2010

Changing Password does not Secure Hacked E-mail Account

People are baffled when their Gmail account is re-compromised and often have no idea how it keeps happening. So I’ve laid out some of the more obvious items that need to be checked to ensure that your Gmail/Google account is locked down.

Mind your filters
The best method for an attacker to get back into your account is to keep reading your email even after you've changed your password. So the basics of any Gmail backdoor will be to set up email forwarding rules that send him or her a copy of your messages as they arrive, including password reset messages. Make sure you disable these following any compromise.

Under Settings > Forwarding and POP/IMAP, ensure that "Disable forwarding" is selected and that your incoming email is not being forwarded to the attacker. Next, check your filters list in Gmail and make sure there are no rules set up that forward email to the attacker.
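The two checks above can be automated against a settings export. The following is an added example, not code from the original post: it audits constructed sample data shaped like the Gmail API's getAutoForwarding, forwardingAddresses.list and filters.list responses (an assumption about the response layout, and the addresses are made up) and reports every setting that would keep leaking mail after a password change, including filters that quietly hide matching messages.

```python
from typing import Dict, List

# Constructed sample data. The shapes are assumed to mirror the Gmail API's
# users.settings.getAutoForwarding, users.settings.forwardingAddresses.list
# and users.settings.filters.list results; the addresses are invented.
AUTO_FORWARDING = {"enabled": True, "emailAddress": "attacker@example.net",
                   "disposition": "leaveInInbox"}
FORWARDING_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "attacker@example.net", "verificationStatus": "accepted"},
    {"forwardingEmail": "me@example.org", "verificationStatus": "accepted"},
]}
FILTERS = {"filter": [
    # Classic backdoor: copy of every bank message goes to the attacker.
    {"id": "f1", "criteria": {"from": "noreply@bank.example"},
     "action": {"forward": "attacker@example.net"}},
    # Hides password reset mail from the owner by skipping the inbox.
    {"id": "f2", "criteria": {"subject": "password reset"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
    # Benign labelling rule; should produce no finding.
    {"id": "f3", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_1"]}},
]}


def audit_forwarding(auto_fwd: Dict, fwd_addrs: Dict, filters: Dict,
                     known_addrs: List[str]) -> List[str]:
    """Return one finding per setting that could leak or hide the owner's mail."""
    findings: List[str] = []
    known = {a.lower() for a in known_addrs}
    # Any enabled account-wide auto-forwarding is a finding: the post's advice
    # is that "Disable forwarding" must be selected after a compromise.
    if auto_fwd.get("enabled"):
        findings.append(f"auto-forwarding enabled to {auto_fwd.get('emailAddress')}")
    # Registered forwarding targets the owner does not recognise.
    for entry in fwd_addrs.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "")
        if addr.lower() not in known:
            findings.append(f"unknown forwarding address {addr} "
                            f"({entry.get('verificationStatus')})")
    # Filters that forward, or that keep matching mail out of the inbox.
    for flt in filters.get("filter", []):
        action, fid = flt.get("action", {}), flt.get("id")
        if "forward" in action:
            findings.append(f"filter {fid} forwards to {action['forward']}")
        if ("INBOX" in action.get("removeLabelIds", [])
                or "TRASH" in action.get("addLabelIds", [])):
            findings.append(f"filter {fid} hides matching mail from the inbox "
                            f"(criteria {flt.get('criteria')})")
    return findings


if __name__ == "__main__":
    for line in audit_forwarding(AUTO_FORWARDING, FORWARDING_ADDRESSES,
                                 FILTERS, ["me@example.org"]):
        print("FINDING:", line)
```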

Check the Password Recovery settings
The next best method for a backdoor is for the attacker to have the ability to recover or reset your password. This is not the sneakiest of routes, but it accomplishes the job well. Ensure an additional recovery email address was not added to your account. This would allow an attacker to get the password reset link delivered straight to his email.

Make sure the SMS number has not been changed in your Google account settings. Also, make sure your security question has not been changed to a question whose answer is known to the attacker. Sneaky attackers will leave your question the same but change the answer to one they know. Go ahead and change both your question and your answer.

Watch out for rogue applications
Gmail isn't just an email program; it's part of an entire web-based application ecosystem. Check your authorized applications to see if the attacker added their own malicious application and allowed it access to your account.

Everyone today adds social applications and grants third-party applications permission to their Facebook/Google accounts. Most people don't even look at what permissions those third-party applications have.

In Gmail, applications can do pretty much everything an attacker would want to do. Even better, from the attacker's standpoint, is that hardly anyone knows where or how to revoke or check permissions on these applications; once they've been approved, they're forgotten.

There are open source applications that will grant full IMAP/SMTP access using OAuth. Once the Gmail account is hijacked, an attacker can run such a script and grant the application full privileges.

Think beyond e-mail
Back doors that allow full access to read email are not the only ones to consider. In today's world of open social collaboration, attackers have several other options for obtaining your data, and it is easier than ever.

If you have Google Voice, go into the voice settings and make sure voicemail and text messages are not being sent to additional email addresses.

If you have important documents in Google Docs, ensure the attacker has not enabled sharing. Google Calendar is a very nice backdoor; I'm sure you don't want someone unexpectedly dropping in and listening in on your next board meeting. To prevent that, there are a couple of areas you need to check.

In the Calendar Settings, click on your calendars to display the detailed view and make sure you click "reset private URLs" in the private address section. This will change the private address that can be used to retrieve your calendar feed.

As an attacker, I could simply copy this URL and monitor your calendar. Next, click the 'Share this calendar' tab and make sure that no email addresses you don't recognise have been added.